ACP OAuth authorization server

Description of the ACP OAuth authorization server

Authorization server concept

The authorization server issues access tokens to the client application after successfully authenticating the resource owner and obtaining authorization. [1]

Cloudentity Authorization Control Plane (ACP) lets you create multiple authorization servers per tenant.

For example, you may want to create one authorization server for financial APIs and another one that requires OAuth clients to use the PKCE extension.

Authorization server features

  • Each authorization server is identified by a unique issuer URL, which is the base URL for its OAuth/OIDC endpoints, such as /oauth2/authorize, /oauth2/token, /.well-known/openid-configuration, and /userinfo.
  • Each authorization server has a dedicated JWKS key set, published at /.well-known/jwks.json, used to sign ID tokens and access tokens.
  • Each authorization server has a list of supported grant types, so you can require clients to use only specific OAuth/OIDC flows.

The authorization server also lets you enable:

  • PKCE enforcement: when enabled, all clients within the authorization server need to use the PKCE extension.
  • Dynamic client registration.
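The features above can be checked from the client side by auditing the discovery document served at /.well-known/openid-configuration. The following is an added example, not Cloudentity code: the issuer host and tenant path are constructed placeholders, the metadata field names are the standard ones from OIDC Discovery and RFC 8414, and audit_metadata is a hypothetical helper.

```python
from urllib.parse import urlsplit

# Endpoint fields from OIDC Discovery / RFC 8414 metadata that should live under the issuer.
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")

def audit_metadata(expected_issuer, meta, allowed_grants):
    """Return a list of findings for one authorization server's discovery document."""
    findings = []
    issuer = meta.get("issuer", "")
    # The issuer in the document must equal the issuer URL the client was configured with.
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: {issuer!r}")
    base = urlsplit(expected_issuer)
    if base.scheme != "https":
        findings.append("issuer is not https")
    prefix = base.path.rstrip("/") + "/"
    for field in ENDPOINT_FIELDS:
        url = urlsplit(meta.get(field, ""))
        # Same scheme and host, and a path below the issuer's path: otherwise the
        # endpoint belongs to a different authorization server (or another tenant).
        if (url.scheme, url.netloc) != (base.scheme, base.netloc) or not url.path.startswith(prefix):
            findings.append(f"{field} outside issuer: {meta.get(field)!r}")
    extra = sorted(set(meta.get("grant_types_supported", [])) - set(allowed_grants))
    if extra:
        findings.append(f"unexpected grant types: {extra}")
    # Advertising S256 is necessary for PKCE, but does not by itself prove enforcement.
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        findings.append("PKCE S256 not advertised")
    return findings

# Constructed sample data: the host, tenant and server names are placeholders.
ISSUER = "https://acp.example.com/tenant/finance"
GOOD = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/authorize",
    "token_endpoint": ISSUER + "/oauth2/token",
    "jwks_uri": ISSUER + "/.well-known/jwks.json",
    "userinfo_endpoint": ISSUER + "/userinfo",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
}
BAD = dict(GOOD,
           token_endpoint="https://acp.example.com/tenant/other/oauth2/token",
           grant_types_supported=["authorization_code", "password"],
           code_challenge_methods_supported=["plain"])

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, audit_metadata(ISSUER, doc, {"authorization_code", "refresh_token"}))
```

To confirm that PKCE is actually enforced rather than only advertised, send an authorization request without a code_challenge from a test client and check that the server rejects it.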

  1. Definition of an authorization server